There certainly seems to be an odd influx of breach stories related to archives this week. Health services at the University of Maine have reported the breach of medical information for nearly 5,000 students. It’s a situation that could have been easily prevented by having the appropriate policies and security tools, like data encryption software.
From 2002 to This Past Week
The breach was discovered when staff at the UMaine Counseling Center noticed that their computers were running slow. An investigation showed that they had been hacked. Unfortunately, the computers contained databases with names, SSNs, and clinical information for 4,585 students who visited the counseling center between 2002 and 2005.
A second computer was hacked later, which contained an active database.
Archives. Were They Protected?
As I often mention, there is only so much that encryption can do. In the above example, an active database was involved. Now, it’s possible to encrypt such a database, which would have protected the students’ information if the database file were downloaded wholesale.
However, being an active database, at some point someone would have to enter a password to access the data. The hacker could easily obtain the password by installing a keystroke logging program. The only way to protect the active database would have been by ensuring that UMaine’s computers were not hacked in the first place.
This, however, is not necessarily so with the archived information. There are many reasons for archiving information, but it’s usually because it’s not used but needs to be kept around. While the danger of gaining a password via a key logger still exists, it’s much lower than what would be expected for an active database.
UMaine should have stored that archive after running it through some kind of file encryption program, such as AlertBoot, which uses AES-256 based encryption.
Related Articles and Sites: